P2PE

Overview

The PCI P2PE (point-to-point encryption) is a security standard that requires credit card information to be encrypted instantly upon its initial swipe and then securely transferred directly to the payment processor before it can be decrypted and processed. Point-to-Point Encryption (P2PE) technology makes data unreadable so it has no value to criminals even if stolen in a breach.

A point-to-point encryption solution includes validated hardware, software, and solution provider environment and processes. It may also include validated services from a component provider. All PCI-approved solutions, applications, and components are listed on the Council’s website. Validation is done by a PCI-qualified P2PE assessor.

SC2labs is accreddited by PCI SSC as both PCI QSA (P2PE) and PA-QSA (P2PE)

Glossary

P2PE Solution:

Consists of point-to-point encryption and decryption environments, their configuration and design, and any P2PE components used with these environments. Within the P2PE solution, account data is always entered directly into a PCI-approved POI device with secure reading and exchange of data (SRED) enabled. This approach minimizes exposure of clear-text account data, and protects against point-of-sale exploits such as “memory scraping” malware.

P2PE Application:

Software or other files with access to clear-text account data, intended to be loaded onto a PCI-approved point of interaction (POI) device and used as part of a P2PE solution.

P2PE Component:

A subset of P2PE services including encryption management, decryption management, and key injection, which are provided by a P2PE component provider and included in the P2PE component listing on the PCI website.

P2PE Solution Provider:

An entity, usually a third-party such as a processor, acquirer (merchant bank), or payment gateway, that designs, implements, and manages the P2PE solution. The solution provider may outsource certain responsibilities, but will always retain overall responsibility for the P2PE solution. With P2PE v2, merchants may also chose to act as their own solution provider by implementing a merchant-managed solution (MMS)